1
CIS 5371 Cryptography
4. Collision Resistant Hash Functions
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
2
Collision Resistance
A collision in a function H is a pair of distinct inputs x, x’
Collision resistance is trivial to achieve if compression is not required (take for example the identity function).
We shall be dealing with a family of hash functions indexed by a key s.
That is, H will take as input a key s and a string x and output a string:
3
Definition 5.1, Hash Function
A hash function is a pair of probabilistic polynomial-time algorithms such that:
• takes as input the security parameter and outputs a key .
• There is a polynomial such that takes as input a key and a string and .
5
Definition 4.12 Collision Resistant Hash Function
A hash function is collision resistant, if for all probabilistic polynomial-time adversaries there is a function such that: -
6
Weaker notions of security for Hash Functions
1. Collision resistance. The strongest notion, as defined earlier.
2. Second pre-image resistance. Informally, given a key and a string it is infeasible for a probabilistic polynomial-time adversary to find such that
3. Pre-image resistance. Informally, given a key and a string (but not ) for a randomly chosen it is infeasible for a probabilistic polynomial-time adversary to find such that
7
Weaker notions of security for Hash Functions
1. Collision resistance implies second pre-image resistance. If given the adversary can find such that pair with
2. Second pre-image resistance implies pre-image resistance. If it were possible to invert and find an such that , then it would be possible to take a given input , compute , and then invert to find such that
8
Generic birthday attack
Birthday problem
Let be a hash function .
Assume that the values are uniformly distributed in and independent .
Assume that arbitrary inputs are selected.
Then the probability that there is a collision using hash evaluations is greater than ½.
The time taken is .
(One has to sort outputs---assume that one can evaluate a hash function in constant time.)
9
Improved birthday attack
Memory is a scarcer resource than time: storing hash evaluations is costly.
10
Improved birthday attack
Let be a hash function.
Select . For
Compute and . If there is a collision; else continue.
It can be shown that we get a collision with probability roughly ½ in steps.
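The constant-memory search above, carried through to the colliding pair, as an added example that is not part of the course slides. It assumes a toy hash H (SHA-256 truncated to 24 bits) and a constructed start value; the second phase, which recovers the two distinct inputs once the pointers meet, goes beyond the loop stated on the slide.

```python
import hashlib

N_BYTES = 3  # assumed toy digest length (24 bits), so roughly 2**12 steps are expected


def H(x: bytes) -> bytes:
    """Toy hash: SHA-256 truncated to N_BYTES (chosen for the demo, not from the slides)."""
    return hashlib.sha256(x).digest()[:N_BYTES]


def find_collision(x0: bytes):
    """Return (a, b, evals) with a != b and H(a) == H(b), or None if x0 is on the cycle."""
    # Phase 1 (the loop on the slide): x moves one step, xp two steps, until they meet.
    x, xp, evals = H(x0), H(H(x0)), 3
    while x != xp:
        x, xp, evals = H(x), H(H(xp)), evals + 3
    # Phase 2: restart one pointer at x0 and step both once per iteration.
    # The sequences merge at the cycle entry; the values just before it are
    # two distinct inputs with the same hash.
    a, b = x0, x
    if a == b:
        return None  # x0 has no tail, so no predecessor pair exists; pick another x0
    while True:
        ha, hb, evals = H(a), H(b), evals + 2
        if ha == hb:
            return a, b, evals
        a, b = ha, hb


if __name__ == "__main__":
    a, b, evals = find_collision(b"constructed-start")  # constructed sample input
    print(a.hex(), b.hex(), H(a).hex(), evals)
```

Only three values are held at any time, which is the point of the improvement; raising N_BYTES shows why a digest of n bits offers only about n/2 bits of collision resistance.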
11
Construction 4.12 The Merkle-Damgaard transform
is a fixed-length collision-resistant hash function with inputs of length and outputs . A variable-length hash function is constructed as follows.
• : on input , output key .
• H : on input and, do:
1. Set , pad so that it can be parsed into blocks of length . Set ( bits).
2. Set .
3. For , compute ).
4. Output